How do Android users know whether an app is genuine?
Currently, the best advice is to study the app’s source, but given they can be loaded from three – the Play Store, from a third-party source, or from an offline source – it’s not always as easy to tell as it should be.
Third-party consumer repositories have a poor reputation, so much so that Android disallows downloading from them by default.
Instead, Google recommends people stick to its Play Store, but even here plenty of malicious apps seem able to wriggle through the supposedly ever-higher security wall thrown up by Google’s Play Protect security.
That leaves offline sources, where large numbers of Android users get their apps in countries with poor or expensive online connectivity.
The APK (Android Package Kit), akin to .exe files on a Windows computer, is the Android file format used to distribute apps.
The problem is that, because users load them from a peer while offline, Android has no way of knowing whether they originated from the Play Store or not, or have been tampered with.
With this problem in mind, Google this week confirmed plans trailed last year to add a “a small amount of security metadata” to each app APK as a way of confirming it originated in the Play Store.
According to Google Play’s product manager, James Bender, this means:
In the future, for apps obtained through Play-approved distribution channels, we’ll be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online.
This will be added to something called the APK signing block – the part of the file used to cryptographically verify an app’s developer and allow them to update without having to ask for complicated permissions.
While this adds no security for the majority of Android users who get their apps from the Play Store, it raises the intriguing possibility that more might one day be distributed offline (with magazines, for instance) on the back of this security tweak.
Of course, this doesn’t address the problem we mentioned at the start of this article – malicious apps that have somehow sneaked into the Play Store itself.
Even Google’s most recent estimate is that it removed 700,000 from this location in 2017 alone, ironically a statistic intended to reassure people (in other words, they were spotted).
Despite all the security Google has added recently, separating friend from foe in the Play Store remains a manual process of checking the developer name, the number and quality of reviews, and the download count. That won’t end soon.
If you encounter an app that looks off on these criteria, consider reporting it to Google. Despite all its much-vaunted automatic security, the company still needs your help.
Bryan
Is there a list somewhere of apps “approved” by Sophos Home? Something other than the uninspired trial-and-error of “well, nope; [uninstall] let’s try this one then…”
I want to replace a couple that worked well (on the surface) but have triggered the “low reputaition” warning.
Paul Ducklin
Low reputation really just means, “We can’t be sure yet because it’s new to the world.”
Laurence Marks
Two questions:
1) What will this do to legitimate archives? For example, I use a formerly-great file explorer of which recent versions have been bloated with adware and unnecessary features. I downloaded what’s conceded to be the last good version from an Android archive website. Will all of the files on archive sites now be inaccessible because they’re unsigned?
2) What about undesirable updates? I’ve taken to looking at what’s changed before I install updated versions. No need to update Solitaire just because the embedded ads were changed. Recently my email program offered an update because the update was the ability to “view [World Cup] game schedules and scores at the top of your inbox.” I also turned down an update to a “swipe-style” keyboard because it added “Make your own GIF to share your emotions” and “New sticker gallery to access over 500 new stickers.” The question is “If either of these apps turns up with an important security fix next week, do I have to also take the futbal scores and stickers?” The answer is “Yes,” isn’t it?
Anonymous
1. It might depend on which version of Android you use. For a recent version of Android, developers on those (presumably legitimate) archive sites will update their APKs in line with Google’s instructions so they won’t disappear.
2. Google’s stamp of authenticity shouldn’t affect whether you decide to update a third-party app.
Mahhn
700,000 malicious apps,,, google notified 0 of the millions of people that those apps even though they have their contact info. Yeah, lots of trust for google, I also trust the NSA not to make malware, monsanto not to kill bees, and tobacco companies not to sell unhealthy things- Not. Reputation builds trust, that is unless you have a bad reputation….
Nobody_Holme
Bad reputation often still build trust, just not the sort you want (trust that you’ll make a known type of mistake, trust in your compettitors, trust in popular antivirus solutions over your own product…)
Nice for those people you help, less nice for you.